CVE-2026-42245

Summary

Net::IMAP implements Internet Message Access Protocol (IMAP) client functionality in Ruby. Prior to versions 0.4.24, 0.5.14, and 0.6.4, Net::IMAP::ResponseReader has quadratic time complexity when reading large responses containing many string literals. A hostile server can send responses which are crafted to exhaust the client's CPU for a denial of service attack. This issue has been patched in versions 0.4.24, 0.5.14, and 0.6.4.

Affected Software

VendorProductVersion RangeStatus
rubynet-imap< 0.4.24affected
rubynet-imap>= 0.5.0, < 0.5.14affected
rubynet-imap>= 0.6.0, < 0.6.4affected

Weaknesses

  • CWE-407: CWE-407: Inefficient Algorithmic Complexity

ADP Enrichment

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: none
    • Automatable: no
    • Technical Impact: partial

References